Tag: Digital Forensics
-
Resource Management in Distributed Password Attacks
In the latest update, Elcomsoft Distributed Password Recovery introduced a new feature that allows managing the available computational resources. The new resource management capability allows administrators to manage and distribute the available computational resources across multiple jobs. The feature enables users to tap into a pool of available resources by requesting a certain number of recovery agents. The reserved recovery agents will be allocated, allowing multiple jobs to run separately at the same time.
In essence, the new resource management capability simplifies the process of managing and utilizing the available computational resources by several jobs, ultimately leading to improved efficiency and scalability.
Concurrent multitasking
In large organizations, there are often cases where various tasks need to be solved concurrently, and password recovery is no exception. At certain times, there may be multiple tasks with equal priority.
Elcomsoft Distributed Password Recovery in its classic shape has queues that are engineered to solve password recovery jobs consecutively, not in parallel, regardless of how much or how little computational resources are available. The tool includes numerous “agents,” which are powerful workstations with the EDPR agent app installed on them, and a single server that controls and coordinates password recovery jobs by allocating all available computational resources to the single job at the top of the queue. The server in turn is managed through a GUI (we call it the “console”), which is the user interface operators interact with.
Users can run the console app on more than one computer, but a single EDPR license limits each console to a single server. If more than one license is available (thus several servers are available on the network), then each console can switch between those servers. Each server maintains its own job queue, and connects to its own, dedicated pool of agents, while each agent can only connect to a certain server (and cannot talk to other servers on the same network).
Several EDPR servers, and thus several EDPR licenses, were required to enable multiple password recovery jobs to run concurrently. As a result, each operator had their own server and a certain number of agents within their license framework. The sets of agents for different servers (and thus different users) did not intersect; each specific agent could only talk to its own server. If only one user was working, they only had access to the number of agents included in their license. This configuration led to idle resources whenever no tasks were being run by a given user (or, rather, by a given server). In such cases, its agents – and consequently, the computers on which they were installed – remained idle.
To address this situation, we have added a new feature that allows for more efficient distribution of computational resources. The new administrative server enables splitting the available computational resources into any number of clusters, each of which can contain the maximum number of agents within the license of a particular workplace. Each computational cluster is connected to a separate server and can work on its own password recovery job.
How it works
Users can request the necessary computational resources from the administrator, who will allocate them through the new administrative server. The process can be best understood from the following diagram:
Licensing
For inquiries regarding the licensing of Elcomsoft Distributed Password Recovery with resource management support, please contact our sales team at sales@elcomsoft.com
By Oleg Afonin, 2024-02-20 11:59:32. Source: ElcomSoft blog
-
Bootloader-Level Extraction for Apple Hardware
The bootloader vulnerability affecting several generations of Apple devices, known as “checkm8”, allows for forensically sound extraction of a wide range of Apple hardware including several generations of iPhones, iPads, Apple Watch, Apple TV, and even HomePod devices. The exploit is available for chips that range from the Apple A5 found in the iPhone 4s and several iPad models to A11 Bionic empowering the iPhone 8, 8 Plus, and iPhone X; older devices such as the iPhone 4 have other bootloader vulnerabilities that can be exploited to similar effect. In this article, we will go through the different chips and their many variations that are relevant for bootloader-level extractions.
What’s “checkm8”?
checkm8 is a bootloader-level exploit that enables low-level access to the device’s file system, encryption keys, and keychain, making it a valuable tool for security professionals. While the exploit itself does not alter any data on the device’s system or user partitions, its various implementations, including the checkra1n jailbreak and many proprietary implementations in various forensic tools, are not nearly as forensically sound as the underlying exploit.
While checkm8 gained the most attention, older devices (prior to the A5 chip used in the iPhone 4s and several other devices) have similar bootloader exploits known as limera1n, SHAtter, steaks4uce, and Pwnage 2.0. For this reason, we prefer talking about “bootloader exploits” and “bootloader-level extractions” rather than “checkm8”.
Our solution
We strived to make our implementation truly exemplary. Bootloader-level extractions performed with iOS Forensic Toolkit are both repeatable and verifiable, making them fully compliant with the requirements of forensically sound investigations. We have solved all common issues that can occur with this method, and support practically the entire range of iOS versions that can be installed on vulnerable devices starting from iOS 3 all the way up to the currently latest iOS 16 builds supported by these platforms. Our solution is truly universal, supporting most iOS beta versions and over-the-air updates, with a notable exception: at this time, iOS 17 is not supported.
iOS 17 can be installed on the following devices:
- iPad 6, 7, and iPad Pro 1, 2
- Apple TV HD, 4K
- HomePod
We are working hard on adding support for the latest iOS 17 builds for those devices.
Critical to forensic examinations is the precise detection of iOS version installed on the device. We developed a unique method that can reliably determine the exact system version installed on the device based on various bits and pieces available through DFU mode. The latest iteration excels in handling atypical scenarios such as interrupted OTA updates thanks to obtaining the required data directly from the SEP (Secure Enclave Processor).
Furthermore, our bootloader-level extraction method is engineered for cross-platform functionality, available in macOS and Linux editions, with Windows compatibility on the horizon.
Compatibility matrix
We’ve listed all compatible models in the following graph.
The following are some interesting nuances:
- Low-level extraction with enhanced support for 32-bit models
  - Blue indicates 32-bit models: For these devices, we offer comprehensive forensic analysis, including the extraction of full dumps and decryption, with the possibility of passcode unlock.
  - Green denotes 64-bit models: While these devices incorporate Secure Enclave, we still provide comprehensive forensic analysis, sans passcode unlock. Notably, devices like Apple TV and HomePod lack Secure Enclave and the passcode.
- Apple Watch chip variants
  - Supported Apple Watch devices feature distinct chips: S1, S1P, S2, and S3, each with unique capabilities.
    - Apple Watch S0: S1
    - Apple Watch S1: S1P
    - Apple Watch S2: S2
    - Apple Watch S3: S3
  - Notably, the S1 chip, akin to the A6 in the iPhone 5/5c, supports APFS despite its 32-bit architecture, which presented a unique challenge. We are currently developing a passcode unlock method for this chip.
- File system variations
  - 32-bit devices utilize the HFS file system, while 64-bit devices typically transition to APFS from iOS 10.3 onwards (and HFS for versions prior to iOS 10.2), with the exception of the abovementioned Apple Watch.
- Exploits and vulnerabilities
  - We leverage multiple exploits for forensic access, including checkm8, which we use exclusively for devices from the A5 onwards. For older devices, we use limera1n, SHAtter, steaks4uce, and Pwnage 2.0, ensuring broad device coverage and access.
- Support for X variant chips
  - Certain iPad and Apple TV models feature X variant chips, which are modified versions of the corresponding iPhone SoC (e.g. the first-gen Apple TV 4K uses the Apple A10X, which is also used in the 10.5″ iPad Pro and the second-generation 12.9″ iPad Pro). While specifics may vary, we ensure comprehensive support, with tailored exploit implementations where necessary.
- Variants in iPad models
  - iPads come in Wi-Fi and 3G/LTE variants, each with its nuances. While some forensic vendors may support only one variant, we offer full support for all configurations with no exceptions.
- Global model versions
  - Most device models have regional variations for different markets (e.g., U.S., European, and Asian markets). Our solution provides comprehensive support for all of these versions.
- Challenges with the A5 chip
  - The A5 chip in its three incarnations, used in the iPhone 4s, iPod touch 5, iPad 2 and 3, the original iPad mini, and Apple TV 3, poses significant challenges for exploit implementation. This chip required us to develop a unique, highly specialized approach based on a Raspberry Pi Pico board with custom firmware.
Conclusion
Our tool’s enhanced capabilities not only overcome common forensic challenges but also delve into the nuances of the many device models, versions, and SoC variations, providing forensic specialists with a comprehensive toolkit for in-depth analysis across a wide range of mobile devices.
By Oleg Afonin, 2024-02-09 14:06:00. Source: ElcomSoft blog
-
EU: Apple to Allow Alternative App Marketplaces
In the upcoming iOS 17.4 update, Apple is introducing significant changes to its App Store policies for apps distributed in the European Union. The new policy brings multiple changes, one of them being alternative app marketplaces (which are effectively third-party app stores). These changes have both technical and financial implications for developers, but do they bring news to the digital forensic crowd? Let’s have a look into what Apple’s new policy brings and how it may impact forensic experts.
Apple has announced updates to iOS, Safari, and the App Store, affecting the developers operating within the European Union (EU). The changes were required to adhere to the EU’s new Digital Markets Act (DMA). The new rules bring changes into the app distribution process on iOS, as well as opening the iOS ecosystem to third-party payment processing, third-party Web browser engines, and more. These changes only affect developers whose apps are available and distributed within the EU. Developers who wish to maintain the status quo do not need to take any action, and can continue distributing their apps exclusively on the App Store if they choose so.
While the forthcoming iOS update will allow distributing apps through alternative app marketplaces, it is unlikely that the changes will affect mobile forensics due to stringent requirements for third-party marketplace operators as well as Apple’s notarization requirements for apps distributed through such marketplaces.
Summary of technical changes
Third-party app stores (alternative app marketplaces): iOS 17.4 will allow users to install alternative app marketplaces, marking a departure from Apple’s previous closed ecosystem.
Verification of alternative app marketplace operators: Operators of alternative app marketplaces will undergo scrutiny from Apple to ensure compliance with guidelines and regulations. It is highly unlikely that any forensic vendor would be able to maintain a third-party app store for the purpose of installing extraction agents, and it is also unlikely that any authorized third-party marketplace would accept the extraction agent for distribution.
Notarization requirement for third-party distribution: Developers intending to distribute their apps through third-party marketplaces must still obtain notarization from Apple, which involves automated and manual checks for viruses and other security threats. Notably, the low-level extraction agent is precisely the app that would be rejected according to these rules as the agent implements undocumented exploits for escalating privilege level and escaping sandbox.
Encryption and signing of notarized apps: Notarized apps will be encrypted and signed by Apple to enable their distribution through alternative app marketplaces.
Binary compliance checks: For apps installed through alternative app marketplaces, iOS will conduct checks to ensure the downloaded binaries comply with security standards. If a threat is detected within a binary, it will be prevented from launching and its notarization will be revoked, preventing its execution and further distribution.
How these changes affect mobile forensics
Theoretically, an alternative app marketplace could be used to install the extraction agent onto the phone for the purpose of low-level extraction (currently, the extraction agent must be sideloaded, a process that can be described as cumbersome at best). The extraction agent is an iOS app that attempts to obtain extended (usually root) privileges and escape the device’s sandbox. This in turn enables access to the data in all the folders, and allows experts to access all the files on the device, as well as the keychain.
There are multiple roadblocks barring the extraction agent from using this avenue. Privilege escalation is based on chains of exploits which Apple fairly views as a security threat. As a result, no alternative app store operator will likely accept such an app. Even if they would, Apple’s notarization requirements will never be met, and even if they would, the final iOS binary check would prevent the agent from launching, all while revoking its notarization.
Financial implications
While financial implications of the new Apple policy do not directly affect mobile forensics, it was still interesting to see how these changes affect revenues.
No commission for third-party distribution: Apple waives its commissions on sales of digital goods for apps distributed through third-party marketplaces. Commissions will only be charged for apps distributed through Apple’s own App Store.
Third-party payments: There is now an option for third-party payments that is structured in a similar way to the US (see Changes to U.S. iOS App Store Policies Allow External Purchase Links). While third-party payment options are introduced, Apple’s commissions still apply, but only if the app is distributed through the App Store. This marks an important departure from the U.S. policy.
Apple’s classic commission model: Currently, Apple taxes developers by charging commissions of up to 30%. Developers who don’t wish any changes may continue operating with this business model.
Reduced commission: For those developers opting to distribute their apps through App Store and/or third-party stores, Apple offers a new business model with reduced commissions of 10% or 17% for digital goods and services. According to the company, “iOS apps on the App Store will pay a reduced commission of either 10% (for the vast majority of developers, and for subscriptions after their first year) or 17% on transactions for digital goods and services, regardless of payment processing system selected”. Notably, even these reduced commissions only apply to sales through Apple’s own App Store, but keep reading…
Core Technology Fee (CTF): Developers opting for the new business model with reduced commissions and the ability to distribute through alternative marketplaces will have to pay if their apps exceed 1 million installs a year. For apps surpassing one million installations annually, Apple imposes a fee of 50 cents per first annual install per year over a 1 million threshold. Apparently, the Core Technology Fee only applies to developers who opt for lowered commission rates and the ability to distribute through alternative marketplaces. Developers have the option to bypass that fee by sticking with Apple’s current terms, though this would mean they lose the opportunity to distribute their iOS apps through alternative marketplaces and miss the lowered commission rates.
We’d like to quote Macrumors’ Juli Clover, who gives an excellent breakdown of the available options:
- Current App Store Agreement – Developers pay Apple a 15 to 30 percent commission. Under one million in revenue is a 15 percent commission through the App Store Small Business Program, over $1 million results in a 30 percent commission. Subscriptions require a 30 percent commission for the first year, and a 15 percent commission for the second year and beyond.
- New terms, App Store distribution – Commission drops to 17 percent from 30 percent, and 10 percent from 15 percent. There is an additional fee of 3 percent for using Apple’s payment system, so the commission would be between 13 and 20 percent for a developer that opts for the new rules and uses in-app purchases. The 3 percent fee does not apply for developers who use alternative payment systems. Developers must also pay €0.50 per app install per user each year after 1 million app installs.
- New terms, alternative app store distribution – No commission, but developers must pay €0.50 per app install per user annually after 1 million app installs.
Conclusion
With the introduction of changes announced for the upcoming iOS 17.4, Apple has taken a step towards opening up its ecosystem, albeit exclusively within the EU. While these changes hold the potential to greatly influence the industry, particularly in terms of app distribution and payment processing, their impact on mobile forensics is expected to be minimal. This is primarily due to stringent review policies, local iOS security checks, and notarization requirements, which serve to maintain the security of the platform while barring apps such as the extraction agent from using the new distribution avenue.
By Vladimir Katalov, 2024-02-06 15:09:54. Source: ElcomSoft blog
-
Navigating NVIDIA’s Super 40-Series GPU Update: A Guide for IT Professionals
With the launch of the Super update of 40-Series NVIDIA GPUs, the company’s product lineup has become quite complex. In the 4070 series alone, four models of the NVIDIA GeForce RTX are available: the original 4070, 4070 Ti, and now also 4070 Super, and 4070 Ti Super. Understanding the differences between these cards and learning which models offer the best price/performance ratio in password recovery jobs are crucial considerations for IT professionals.
Why GPU for password cracking?
In certain tasks, the massively parallel compute units of today’s GPUs deliver performance far surpassing that of your computer’s CPU, all while maintaining similar power consumption. Our products support a hardware acceleration technology that employs the available computational power of modern GPUs to speed up password recovery attacks. Our tools support GPUs built with AMD, Intel, and NVIDIA chips, yet we consistently recommend NVIDIA cards for their maximum stability and reliability in 24×7 environments.
Our acceleration technology offloads some of the complex computations onto fast and scalable compute units (NVIDIA CUDA cores), which results in password recovery speeds going up by a factor of 25 to 250 compared to the central processor.
NVIDIA RTX 40 series
The first GPUs released in the Ada Lovelace-powered 40-Series were the powerful NVIDIA GeForce RTX 4090 and 4080 boards, announced at the end of 2022. These boards were followed by the lower-performance models. The original lineup included the RTX 4090, 4080, 4070 Ti, 4070, 4060 Ti (in 8GB and 16GB versions), and 4060.
We benchmarked some of these GPUs in NVIDIA RTX 40 Series Graphics Cards: The Faster and More Efficient Password Recovery Accelerators, and concluded that the mid-range NVIDIA GeForce RTX 4070 Ti was faster than the last-gen champion RTX 3090, all while consuming less power. The new RTX 4070 gets about 40% higher performance and about 30% lower power consumption at the same time compared to the older but similarly priced RTX 3070 Ti board. This made a strong point in recommending the Ada Lovelace generation over Ampere for password recovery tasks.
In January 2024, NVIDIA refreshed the lineup, adding several models labeled as “Super”. The “Super” versions included the 4080 Super, 4070 Ti Super, and 4070 Super; the lower-end GPU models did not receive an update. NVIDIA then discontinued some of the older models (4080 and 4070 Ti), although they can still be found for sale. Meanwhile, both the 4070 and 4070 Super cards continue to be part of the company’s current lineup, while the RTX 4070 received a price cut. The new lineup is not very straightforward, especially considering that discontinued models are still sold in retail alongside the refreshed cards. Understanding the variety of GPU models and the performance they offer is important when choosing a GPU for password recovery jobs.
For password recovery, the amount of VRAM is largely irrelevant. All else being equal, there will be no difference in sheer attack speed between the NVIDIA GeForce RTX 4060 Ti (8GB) and GeForce RTX 4060 Ti (16GB) variants, yet the latter costs more than the former. However, the 16GB 4070 Ti Super not only doubles the amount of VRAM compared to the now discontinued 12GB 4070 Ti but also expands the interface width from 192 to 256 bits, all while upping the number of execution units. As a result, the “Super” version of the 4070 Ti delivers a 10% performance increase in double precision computations.
Speaking of performance, one can benchmark video cards in many different ways, while expressing the results in different units. We don’t have the ability to test all GPU models in our setup, so for an apples-to-apples comparison we rely on the data in the spec sheets as well as data obtained from independent sources. Specifications list numbers for Single precision, Double precision, Half precision, FP16, and TFLOPS; for password recovery tasks, only the Double precision metric is relevant. Comparing different models (importantly, within the same architecture) based on this metric alone allows us to predict their relative performance fairly accurately. With this information, you can assess their performance in certain tasks; we suggest using the numbers from our test as a base.
Note: Additional test data is available in the full article.
Our price/performance numbers are based solely on U.S. MSRP prices. Street prices may and do differ; please bear that in mind when shopping for the most cost effective board. Finally, make sure to understand the effect of the boards’ TDP to build an efficient, well-cooled and adequately powered setup.
Note: The specifications listed above are for reference only and may vary based on the OEM and specific model.
By Oleg Afonin, 2024-02-02 13:56:30. Source: ElcomSoft blog
-
iOS Forensic Toolkit: Mounting HFS Images in Windows
The latest update to iOS Forensic Toolkit brought the ability to mount HFS disk images extracted from legacy Apple devices as drive letters on Windows systems. This empowers experts to efficiently process and analyze digital evidence extracted from legacy Apple devices on Windows-based computers. This article provides detailed instructions on using the new feature.
Why HFS images?
When performing low-level extraction of legacy Apple devices built with 32-bit architecture, iOS Forensic Toolkit employs a forensically sound process called perfect HFS acquisition. During this process (which is only available if you are using a Mac or Linux edition of iOS Forensic Toolkit), the tool produces a full, bit-precise image of the data partition. The image can be decrypted by using the keys that are also extracted during the process.
These older devices use HFS as their file system. While mounting HFS images in macOS can be done seamlessly, Windows does not support such disk images or even recognize HFS as a file system. Integrating HFS support into Windows requires a custom implementation of a FUSE-style user-mode file system, which we now supply as a licensed version of the WinFsp runtime. Notably, WinFsp is not a ready-made tool that would allow mounting a disk image via a graphical user interface; instead, it is a set of free open-source libraries for mounting file systems on Windows that had to be integrated into iOS Forensic Toolkit to work. While it is primarily used for non-commercial purposes, a license is required for commercial products, which we have obtained for our toolkit. WinFsp’s installer is now supplied with our software, enabling users to easily utilize the mounting feature on Windows. However, if WinFsp is not installed, this feature will not work. To install WinFsp, launch its installer from the folder where EIFT is installed. Note that the feature is native on macOS and is also available in the Linux edition via FUSE (requires the libfuse dependency).
Mounting DMG files on Windows serves several purposes. First, many commonly used forensic tools are incompatible with DMG files, but can easily work with extracted folders instead. This makes it simpler to manually explore and analyze the contents of DMG files, checking various databases and settings within the extracted folders. Third-party commercial tools such as Paragon HFS+ for Windows, HFSExplorer, and DMGExtractor are available, offering alternative solutions for handling HFS files on Windows systems.
Overall, while DMG files can only be created on macOS (and Linux), the ability to analyze them using various tools, including UFED, is now greatly simplified.
Forensically sound read-only mounting
iOS Forensic Toolkit mounts HFS images in read-only mode, which is the only forensically sound mode. While read-only is the safest mode, you may experience some hiccups when using certain tools, such as some SQLite editors, to examine SQLite databases found in the file system. Some such tools will fail to open a SQLite database because they try to create temporary files alongside the main database, and fail due to the read-only mode. If you need to use such tools, we strongly recommend copying the files off the mounted disk image to your computer and opening them there; otherwise one would inevitably be modifying the original disk image and thus accidentally tampering with evidence.
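A practitioner's way of dealing with the read-only-mount problem described above, as an added example that is not part of iOS Forensic Toolkit: open the database through SQLite's URI flags mode=ro and immutable=1 so no -journal/-wal/-shm sidecar files are ever attempted, verify that the source file's hash is unchanged afterwards, and copy the database (with any sidecars) off the mount with hash verification when a tool needs a writable copy. The SMS-style table, file names and function names are constructed for the example.

```python
"""Examine SQLite databases from a read-only (forensic) mount without writing
sidecar files, and copy them off with hash verification when a tool needs a
writable copy.  Added example; not code from iOS Forensic Toolkit."""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Files SQLite may try to create next to a database when opened the usual way.
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecars_present(db_path):
    """Return the sidecar suffixes that currently exist next to db_path."""
    return [s for s in SIDECAR_SUFFIXES if os.path.exists(str(db_path) + s)]


def query_read_only(db_path, sql, params=()):
    """Run a SELECT against db_path without touching the mounted image.

    mode=ro refuses writes; immutable=1 additionally tells SQLite the file
    cannot change, so it takes no locks and never creates -journal/-wal/-shm
    files (the write attempts that fail on a read-only mount).  Because
    immutable=1 ignores an existing WAL, refuse to use it when sidecars are
    present: they may hold committed data and must be copied off together.
    Returns (rows, sha256 of the database file).
    """
    db_path = Path(db_path)
    if sidecars_present(db_path):
        raise RuntimeError("sidecar files present; use copy_off_verified() and open the copy")
    before = sha256_of(db_path)
    uri = db_path.resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(sql, params).fetchall()
    finally:
        con.close()
    # Checks a forensic workflow wants: nothing was written or created.
    if sha256_of(db_path) != before:
        raise RuntimeError("database changed during examination")
    if sidecars_present(db_path):
        raise RuntimeError("examination created sidecar files")
    return rows, before


def copy_off_verified(db_path, work_dir):
    """Copy the database plus any sidecars to work_dir, verifying each copy.

    Returns {filename: sha256}; raises if a copy does not match its source.
    """
    db_path = Path(db_path)
    work_dir = Path(work_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    hashes = {}
    sources = [db_path] + [Path(str(db_path) + s) for s in sidecars_present(db_path)]
    for src in sources:
        dst = work_dir / src.name
        shutil.copyfile(src, dst)
        src_hash, dst_hash = sha256_of(src), sha256_of(dst)
        if src_hash != dst_hash:
            raise RuntimeError(f"copy of {src.name} does not match its source")
        hashes[src.name] = src_hash
    return hashes


def build_sample_db(directory):
    """Constructed sample: a tiny SMS-style table standing in for an extracted database."""
    path = Path(directory) / "sms.db"
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE message (address TEXT, text TEXT)")
        con.executemany("INSERT INTO message VALUES (?, ?)",
                        [("+15550100", "constructed message one"),
                         ("+15550199", "constructed message two")])
    con.close()
    return path


def demo():
    """Run the workflow against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(tmp)
        rows, digest = query_read_only(db, "SELECT address, text FROM message ORDER BY rowid")
        copies = copy_off_verified(db, Path(tmp) / "work")
        return rows, digest == copies["sms.db"]


if __name__ == "__main__":
    print(demo())
```

The sample is built in a writable temporary directory because a real read-only mount cannot be assumed here; against a mounted image the same calls apply unchanged.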
Walkthrough
You will have two options when mounting HFS images with iOS Forensic Toolkit. The first option mounts the original, encrypted image; the second mounts the already decrypted image.
To mount the original, encrypted disk image use the following command:
eift_cmd hfstool --mount -i data.dmg -k keys.plist
Note that you will need to provide the full path to both the DMG file and the keys unless you are running the command from the same folder where they are located. Please refer to Perfect Acquisition Part 4: The Practical Part for more information about the disk images, encryption keys, and decryption process.
To mount an already decrypted image use the following command:
eift_cmd hfstool --mount -i data_dec.dmg
Once you execute one of the two commands, a console window will open:
Do not close this window while working with the mounted image. Closing iOS Forensic Toolkit will automatically dismount the disk image.
The file system will be mounted as the first available drive letter:
At this point, you can manually examine the content of the file system.
Compatibility
The current version of iOS Forensic Toolkit supports the following devices/OS versions (please note: HFS imaging/mounting is not supported on any devices listed in the table below).
Conclusion
By Oleg Afonin, 2024-02-01 09:59:18. Source: ElcomSoft blog
-
Changes to U.S. iOS App Store Policies Allow External Purchase Links
In a controversial move, Apple is implementing major changes to its U.S. iOS App Store policies, granting developers the ability to direct customers to non-App Store purchasing options for digital goods. This update permits users to make in-app purchases through an alternative method. However, Apple will continue to collect a commission ranging from 12 to 27 percent on content purchased through this avenue, providing only a 3-percentage-point commission cut compared to purchases made through the official Apple App Store.
This move is not unprecedented. In the Netherlands, the company had to comply with an order from the Netherlands Authority for Consumers and Markets (ACM), allowing developers distributing dating apps on the Netherlands App Store to “use a third-party payment system within the app, include an in-app link directing users to the developer’s website to complete a purchase, or use a third-party payment system within the app and include a link directing users to the developer’s website to complete a purchase” (source). In Russia, the company allowed developers from Russia to add payment links to applications outside the App Store system (WNHub) to comply with a court order; that page is not directly accessible to visitors outside of Russia. The company’s official statement on the matter is not accessible to anyone but developers with Russian developer accounts. Finally, Apple states that the Telecommunications Business Act in South Korea mandated that apps distributed by app market operators in South Korea be allowed to offer an alternative payment processing option within their apps.
Apple’s new U.S. iOS App Store policy does not quote any legislation or court order. In an update to App Store Review Guidelines, Apple states:
- Added 3.1.1 (a): Link to Other Purchase Methods. Developers may apply for the StoreKit External Purchase Link Entitlement (US) to provide a link in their app to a website the developer owns or maintains responsibility for in order to purchase such items.
Developers opting for this alternative will be required to apply for a StoreKit External Purchase Link Entitlement, as outlined in the updated App Store Review Guidelines. With this Link Entitlement, developers gain the ability to guide users to an external purchasing mechanism. Such entitlement, if granted, is restricted to use only in the App Store on the United States storefront. In all other storefronts, apps are prohibited from including buttons, external links, or calls to action leading customers to purchasing mechanisms other than official in-app purchases.
According to Apple, a commission will still apply to digital purchases facilitated through the StoreKit External Purchase Link Entitlement (US). The External Purchase Link Entitlement commission will be reduced by 3 percentage points compared to the fee charged for purchases made through the official App Store. This makes it a 27 percent fee for purchases and first-year subscriptions, while the fee drops to 12 percent in the second year of a subscription.
Additional information:
Distributing apps in the U.S. that provide an external purchase link – Support – Apple Developer
By Vladimir Katalov, 2024-01-17 18:04:54. Source: ElcomSoft blog
-
When Extraction Meets Analysis: Cellebrite Physical Analyzer
When equipping a forensic lab, having a diverse set of tools is extremely important due to their diverse, rarely overlapping capabilities, and the need for cross-checking the results. With that many tools, compatibility is crucial. This is why we went a long way to ensure that any data extracted with our mobile forensic tools can be opened in many popular forensic analysis tools.
Our mobile extraction tools
As we specialize in mobile extractions, our tools have a number of unique features one is unlikely to see in competing products. These include:
- Forensically sound checkm8 extraction: Our implementation of the checkm8 exploit enables unparalleled compatibility, spanning from the iPhone 3GS with iPhone OS 3.0 to the latest devices equipped with chipsets that are vulnerable to the bootloader exploit. Our checkm8-based solution is not only the most compatible one, but one of the few tools offering true forensically sound extractions with repeatable, verifiable results.
- Low-level extraction agent: We developed a unique extraction agent designed for low-level file system extraction and seamless keychain decryption, offering the widest compatibility and a refined usage experience. While many have tried to replicate our innovative tool, it’s the seamless compatibility and the “refined” part of the usage experience that our competitors still struggle with.
- Support for the Apple ecosystem: Our extraction tools boast comprehensive support extending across the entire Apple ecosystem. We can extract data from Apple Watch, Apple TV, and Apple HomePod devices in addition to iPhones and iPads.
However, as we specialize in data extraction, we trust the subsequent phases to those who specialize in making analysis tools. While certain types of data can be examined manually, specialized software remains the preferred option. Despite the number of vendors and solutions available to forensic experts, Cellebrite Physical Analyzer remains our tool of choice, being the most compatible and arguably the finest product available for analysis.
The analysis stage
Extracting data from the device is just the beginning of a forensic investigation. Once data is obtained, the analysis stage comes into play. While some types of data (such as passwords extracted from the keychain) can be reviewed manually, the sheer amounts of information found in a typical modern device mandate the use of specialized software. This is where the choice of software becomes crucial, impacting the thoroughness and accuracy of the investigation.
Cellebrite Physical Analyzer is one of the better tools in this regard, not only due to its exceptional compatibility but also owing to its robust analytical capabilities, making it indispensable in any forensic lab. Our unique extraction capabilities in the Apple ecosystem, combined with forensic analysis tools like Cellebrite Physical Analyzer, enable thorough and effective forensic investigations.
Remember: trust, but verify. Even if you are using the very best forensic tools, do not blindly rely on their output, even if everything looks consistent. Despite the proven quality of the software, errors and omissions, on both the human side and the software side, can still occur. It is crucial to manually check and verify everything to ensure accuracy and reliability. There is no magic button labeled “Generate a crime report and add supporting evidence”; you still need thorough manual examination. This principle reminds us to stay vigilant and take responsibility for ensuring the integrity of the information we rely on.
Importing extraction agent data
The low-level extraction agent (part of Elcomsoft iOS Forensic Toolkit) returns a file system image (.tar) alongside the keychain (.xml). Unpacking a .tar file is relatively simple (though it may be rather slow depending on the size of the data set), but analyzing the keychain is a bit more difficult. The keychain holds vital information, such as the user’s authentication credentials, logins and passwords, tokens, and encryption keys that can be used to decrypt certain types of data, such as Signal conversations. Some products simply required the keychain file to sit next to the .tar file, under a specific name matching the name of the .tar archive. This naming convention does not match the one used in our product, and Cellebrite has elegantly worked around this limitation (as seen in the screenshot).
Legacy devices
For older 32-bit devices lacking Secure Enclave, we resort to a unique physical extraction method called Perfect HFS Acquisition, preserving the device image in a DMG format. Cellebrite supports this process, with one omission: there is no keychain support when opening .dmg files in Cellebrite Physical Analyzer. We hope the company will fix this issue in future builds, while other vendors drop support for legacy formats altogether.
Opening EIFT data sets in Cellebrite Physical Analyzer
Once you’ve successfully extracted a data set using the Elcomsoft iOS Forensic Toolkit, follow these step-by-step instructions to open and analyze the extracted data in Cellebrite Physical Analyzer:
Select File | Open case…:
- Open Cellebrite Physical Analyzer and navigate to the menu bar.
- Click on “File” and then select “Open case…”
Under “Load evidence”, press “+ Add”:
- In the “Load Evidence” window, click on the “+ Add” button.
- Select “Open (Advanced)”.
Select “Select Device”:
- After selecting “Open (Advanced),” choose the option “Select Device” to specify the extraction type.
For Agent Extraction:
- Search for “Elcomsoft” in the available options and select “Apple iOS ElcomSoft”.
- Choose “ZIP archive” and browse for the .tar file containing the full file system image extracted by Elcomsoft iOS Forensic Toolkit.
- Select “ElcomSoft Keychain.xml” and browse for the keychain file extracted by Elcomsoft.
- Proceed to the next step.
For DMG Extraction:
- Search for “physical” to filter the available extraction types.
- Choose “Apple iPhone (Physical)” as the device type.
- Select “Image” and browse for the .dmg file extracted using Elcomsoft iOS Forensic Toolkit.
- Proceed to the next step.
Agent Extraction Details:
- For agent extraction, confirm the selected files (.tar and keychain) are correctly loaded and displayed in the respective fields. Review the details to ensure accurate selection and mapping of the extracted files.
DMG Extraction Details:
- For DMG extraction, verify the selected .dmg file is accurately loaded in the specified field. Review the details to ensure the correct .dmg file is chosen for analysis.
Proceed as Usual:
- Once all necessary files are selected and confirmed, proceed by clicking “Next” to initiate the analysis process.
- Follow the instructions provided in the wizard to continue with the analysis in Cellebrite Physical Analyzer.
By following these steps, you will be able to seamlessly import and analyze the extracted data set from Elcomsoft iOS Forensic Toolkit in Cellebrite Physical Analyzer.
Future development
We are currently in the process of examining the compatibility of our software output with another top-tier tool, Magnet AXIOM, and will provide a separate update on this. Additionally, we want to say that we are open to partnerships and collaborations, offering our software and detailed format specifications to other vendors such as MSAB and Compelson to facilitate compatibility efforts on their end. As part of our efforts, we are also working on converting DMG images to tar archives, aiming to simplify processes for those who prefer convenience. However, it’s essential to note that this is not the optimal solution overall, as DMG contains more file metadata.
Conclusion
In conclusion, the synergy between ElcomSoft’s cutting-edge extraction capabilities and meticulous analysis using specialized software, like those exemplified by Cellebrite’s solutions, is crucial for investigations that involve data retrieved from Apple devices. When used together, the two products empower forensic experts to delve deeper into digital evidence, facilitating a comprehensive and meticulous investigative process that stands at the forefront of modern forensic techniques.
By Oleg Afonin at 2024-01-12 09:31:10. Source: ElcomSoft blog.
-
Forensically Sound Cold System Analysis
In the world of digital forensics, there are various ways to analyze computer systems. You might be familiar with live system analysis or with investigating forensic disk images, but there’s yet another method called cold system analysis. Unlike live analysis, where experts deal with active user sessions, cold system analysis works differently. It’s a middle ground between live analysis and examining saved images of a computer’s storage. But why and when would someone use cold analysis? What can you do with it, and how does it compare to the usual methods?
What is cold system analysis?
Cold system analysis is frequently used in the field, yet the term itself is not quite as common as “live system analysis”, so it needs a bit of an explanation. The term was coined after the “cold boot attack”, which in turn describes a very specific kind of attack that extracts secrets (such as encryption keys) from the system’s volatile memory. In the course of a cold boot attack, the expert boots the computer from portable media (typically a USB flash drive). This is exactly what is done during cold system analysis: the examiner boots the computer from a portable USB drive and attempts to gain access to the system and/or extract evidence from the computer.
What is “live system analysis” then? In live system analysis, the examiner attempts to gain control over an authenticated user session. This is only possible if the computer being investigated is turned on, and at least one user has an active session. The cold system analysis presumes that the initial state of the computer is powered off or hibernated, and no authenticated user session is available.
The opposite of live system analysis is the examination of forensic disk images, which are bit-precise captures of the user’s physical storage devices. Even if something happens to the data stored in the disk image during investigation, it is always possible to go back to the original file.
The risks of cold system analysis
Live system analysis is the riskiest of the three methods. An authenticated user session may be full of surprises. There may be unknown (and potentially dangerous) background processes running, and any available evidence can potentially self-destruct at any time. If the computer is connected to the network, much worse can happen, while breaking the network connection may trigger unknown, potentially dangerous tasks. Live system analysis is never forensically sound, and should only be performed after carefully weighing the risks.
Working with forensic disk images is the safest method, which at the same time is the most labor-intensive and time-consuming. This is the most forensically sound method.
Cold system analysis sits in between. By booting the user’s computer from known good portable media, experts get access to a clean system with familiar forensic tools. However, it’s still the suspect’s computer, and user mistakes leave room for irreversible accidents. One of the most common mistakes, by the way, is hastily resetting the user’s Windows account password, which instantly and permanently locks the ability to access EFS-encrypted files and any passwords stored in Web browsers such as Google Chrome or Microsoft Edge. However, when used carefully, cold system analysis can deliver significant benefits over the analysis of forensic disk images without most of the risks associated with live system analysis. Results obtained with cold system analysis may or may not be forensically sound depending on the tools and techniques you use.
Cold system analysis step by step
We made forensically sound cold system analysis easy with Elcomsoft System Recovery (ESR). Unlike competing tools, most of which are Linux-based, Elcomsoft System Recovery is based on the familiar Windows environment, thus being an ideal tool for investigating Windows computers.
Once you prepare a bootable USB drive by running the Elcomsoft System Recovery installer, you will be able to perform a wide range of tasks depending on whether or not the system partition is encrypted.
Two modes are available: the forensically sound, write-blocking “read only” mode, and the other mode in which you can modify user accounts by resetting passwords, assigning administrative privileges, and so on.
Once you boot into ESR, you’ll be able to choose between disk tools and account tools (SAM database).
Remove BitLocker protection
If the system partition is encrypted with BitLocker, there is very little you can do before unlocking the volume. In this scenario, you can boot into Elcomsoft System Recovery, capture the volume’s encryption metadata, bring the data to the lab and attempt to recover the original BitLocker password by running Elcomsoft Distributed Password Recovery.
Depending on the configuration of protectors used on the particular BitLocker volume (which mostly depends on whether or not the system has a TPM module), you may or may not be able to unlock the volume. Read more in Unlocking BitLocker: Can You Break That Password?
If you have a password or BitLocker recovery key to the system volume, ESR can unlock and mount the volume using the built-in BitLocker functionality of Windows PE. Once this is done, you can continue analyzing the disk, which is a huge time saver compared to the traditional imaging and decrypting workflow.
Collect existing passwords
Once you boot into Elcomsoft System Recovery, the tool will probe the existing Windows accounts for common passwords. If a password is discovered, it will be displayed to allow further analysis.
Break Windows account passwords
What if the passwords are unknown? If this is the case, you will need to run an attack to recover the original passwords. To do that, you’ll need to extract encryption metadata (hashes), and use that data in Elcomsoft Distributed Password Recovery to launch the attack.
Unlock disk encryption
If the computer had not been shut down but was discovered in a state of hybrid sleep or hibernation, you may be able to find on-the-fly encryption keys (OTFE keys) to disk encryption tools such as BitLocker, TrueCrypt, VeraCrypt or PGP. These keys may be found in hibernation or page files. During cold system analysis, you can extract these files and save them on external media for further analysis with Elcomsoft Forensic Disk Decryptor.
Search for encrypted disks
Speaking of disk encryption, cold system analysis with ESR allows finding encrypted disks by running a thorough automated search.
Search for encrypted virtual machines
Along with disk encryption tools, encrypted virtual machines are among the most common cover-up tools. You can look for encrypted virtual machines in ESR, which, again, is an automated process. Once the tool finds an encrypted VM, it automatically saves the encryption metadata that you can use in Elcomsoft Distributed Password Recovery for breaking the original password.
Create forensic disk images
There is only so much you can do at the cold system analysis stage, and making disk images is one last shortcut you can take to speed up the investigation. Traditionally, experts would disassemble the computer, take the disks out and image them with a specialized write-blocking disk imaging device. ESR offers a shortcut, allowing you to make forensic disk images without taking the drives out.
The quick and dirty of cold system analysis
Cold system analysis is as forensically sound as you make it. In certain cases, you may be able to afford losing the “forensically sound” part for the sake of efficiency. Good examples are the emergency unlock of ex-employees’ Windows accounts, re-assigning administrative privileges, or simply restoring the computer’s functionality by removing maliciously or accidentally set Syskey protection.
Unlock Windows accounts
The need for unlocking accounts of Windows users is common in organizations with under-administered networks. ESR makes this extremely easy to do; changing a password of any Windows user is literally a matter of several clicks. Note, however, that this is far from being forensically sound: if you reset a user’s password, any data encrypted with Windows DPAPI (e.g. encrypted file system, stored passwords etc.) will be permanently lost. This may still be acceptable in many cases, so here is the how-to article: How to Unlock Windows Systems with a Bootable Flash Drive
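To make the caveat above (and the same warning in the risks section) concrete, here is an added illustration that is not part of the article and not Windows’ actual DPAPI algorithm or parameters: a simplified model in which a per-user master key is stored only wrapped under a key derived from the password. A password change, which knows the old password, re-wraps the master key; an offline reset replaces only the stored credential, so the master key and everything it protects becomes unrecoverable. The user ID, iteration count, verifier and toy wrapping scheme are all constructed for the model.

```python
import hashlib
import hmac
import os

# Constructed parameter for the model; not the value Windows uses.
ITERATIONS = 100_000


def derive_kek(password: str, user_id: str) -> bytes:
    """Key-encryption key derived from the password; user_id acts as a per-user salt (model only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"),
                               user_id.encode(), ITERATIONS, dklen=32)


def wrap_master_key(master_key: bytes, kek: bytes) -> bytes:
    """Toy authenticated wrap: XOR the 32-byte master key with a one-time keystream
    derived from the KEK and a fresh nonce, then append an HMAC tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_master_key(blob: bytes, kek: bytes) -> bytes:
    """Inverse of wrap_master_key; fails unless the KEK (i.e. the password) is the one used to wrap."""
    nonce, ciphertext, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password: master key cannot be recovered")
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class UserProfile:
    """What persists on disk for a user in this model: a password verifier and the
    *wrapped* master key. The plaintext master key is never stored."""

    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self.verifier = self._verifier(password)
        self.wrapped_key = wrap_master_key(os.urandom(32), derive_kek(password, user_id))

    def _verifier(self, password: str) -> bytes:
        # Stand-in for the stored logon hash (model only).
        return hashlib.sha256(password.encode("utf-16-le")).digest()

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(self.verifier, self._verifier(password))

    def open_master_key(self, password: str) -> bytes:
        """Logon path: the supplied password unwraps the master key."""
        return unwrap_master_key(self.wrapped_key, derive_kek(password, self.user_id))

    def change_password(self, old: str, new: str) -> None:
        """Regular change: the old password is known, so the master key is unwrapped
        and re-wrapped under the new KEK. Protected data stays accessible."""
        master_key = self.open_master_key(old)
        self.wrapped_key = wrap_master_key(master_key, derive_kek(new, self.user_id))
        self.verifier = self._verifier(new)

    def reset_password(self, new: str) -> None:
        """Offline/administrative reset: only the verifier is replaced. Without the old
        password nothing can re-wrap the master key, so it stays bound to the old KEK."""
        self.verifier = self._verifier(new)


def demo() -> dict:
    """Run both scenarios on a constructed profile and report whether the master key
    (and hence EFS files, browser passwords, ...) remains recoverable."""
    profile = UserProfile("S-1-5-21-0-0-0-1001", "Winter2023!")  # constructed SID and password
    original = profile.open_master_key("Winter2023!")

    profile.change_password("Winter2023!", "Spring2024!")
    after_change = profile.open_master_key("Spring2024!") == original

    profile.reset_password("Reset123!")
    logon_ok = profile.verify_password("Reset123!")  # the account itself logs on fine...
    try:
        profile.open_master_key("Reset123!")
        after_reset = True
    except ValueError:
        after_reset = False  # ...but the master key, and all data under it, is gone

    return {"after_change_recovered": after_change,
            "reset_logon_works": logon_ok,
            "after_reset_recovered": after_reset}


if __name__ == "__main__":
    print(demo())
```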
Assign administrative privileges
Assigning administrative privileges to a certain Windows account may be needed to restore full access to the system if the administrative password is lost or unknown. ESR makes this possible in a few clicks. The feature also works for accounts for which you’ve reset a password with Elcomsoft System Recovery.
Remove Syskey protection
If you haven’t heard about Windows Syskey protection, you are not alone. This feature does not provide any real security, but it has the potential of becoming a great hassle if someone who knows about the feature accidentally or maliciously sets a Syskey password. We have an article on Syskey passwords: How to Reset or Recover Windows SYSKEY Passwords.
By Oleg Afonin at 2024-01-08 12:00:43. Source: ElcomSoft blog.
-
A Comprehensive Guide to Essential Tools for Elcomsoft iOS Forensic Toolkit
Elcomsoft iOS Forensic Toolkit (EIFT) is a powerful software designed to acquire data from various Apple devices, ranging from iPhones to HomePods. However, to make the most of this tool, you’ll need more than just the software itself. In this article, we will quickly review the mandatory and optional accessories that are essential for the effective use of the product.
Please note: throughout this article, we provide links to original Apple hardware where available. However, these links are purely for reference purposes. You don’t have to use the originals; third-party alternatives can be considered, and are widely available on well-known trade sites at a significantly lower cost.
The tool: Elcomsoft iOS Forensic Toolkit (EIFT)
iOS Forensic Toolkit is a feature-rich software that allows you to extract data from Apple devices. It offers a wide range of features and supports both advanced logical extraction and multiple low-level extraction methods ranging from agent-based file system extraction to forensically sound acquisition through checkm8, making it one of the most comprehensive tools available for this purpose. Obviously, you’ll need the Toolkit itself, but that’s not all: you will also need a USB protection dongle to run the product. If you are a new customer, you will receive the dongle in the mail. If you are renewing your license, the dongle can be easily updated online. To sum it up, EIFT consists of:
- Elcomsoft iOS Forensic Toolkit (Windows, Linux, and Mac editions)
- USB license dongle
A Mac, Linux, or Windows PC
EIFT is compatible with Windows, Linux, and macOS platforms. Some features are exclusive to Linux and macOS editions, and are not supported on Windows:
- checkm8: This bootrom exploit, which our software relies on for forensically sound extractions, currently works only on macOS and Linux due to USB driver dependencies.
- Serial debugging: Although not frequently required, there may be unique device/iOS combinations that need further debugging, and macOS and Linux editions support this feature.
- SSH access: This feature is quite useful when you only need specific data instead of a full file system image, among other cases.
In addition, some features are only available in the Mac edition. Currently there is a single feature exclusive to macOS:
- Agent extraction using non-developer accounts: This process is much simpler on macOS compared to other platforms.
We support and recommend Macs based on Apple Silicon, including the different versions of M1, M2, and M3 SoC.
Raspberry Pi Pico
The Pico is an affordable (in the $5-$10 range) microcontroller that is a must-have accessory for EIFT. We recommend obtaining three pieces to avoid reflashing the units when using them for different purposes. The Pico can be utilized for the following purposes:
- Apple A5/A5X exploit: The Pico can be used to exploit these specific Apple chips.
- Automated screen shots: The Pico enables automated screen capturing.
- Automated entering into DFU mode (A11+ devices): The Pico simplifies the process of entering DFU mode for devices with A11 chips or later.
Additional cables and connections are required for these tasks, as mentioned in the following sections.
Raspberry Pi 4
We highly recommend using a Raspberry Pi 4 to assist with installing the EIFT acquisition agent. This device acts as a firewall during installation of the acquisition agent. While it’s possible to use the software macOS-based firewall alone, the Raspberry Pi solution is more reliable and user-friendly. We support Raspberry Pi 3B/3B+, Orange Pi 5, and Orange Pi R1 Plus LTS, yet we continue to recommend the Raspberry Pi 4 as the most versatile and community-supported option.
Additionally, you’ll need a USB-C power supply with the appropriate cable for the Raspberry Pi.
Cables
While you might assume that an Apple Lightning cable would suffice, it’s not nearly enough. The standard cables required are:
- USB-C to Lightning (recommended for logical and agent-based acquisition; faster and more reliable than the USB-A variant)
- USB-A to Lightning (required for checkm8-based acquisition)
- USB-A to Apple 30-pin
In addition, you’ll need some extra cables:
- Micro-USB to USB-A Female (OTG) for connecting the iPhone/iPad devices to the Raspberry Pi Pico
- USB-A to micro-USB for flashing the Raspberry Pi Pico
- Two Ethernet cables
Adapters
You’ll also need a few adapters, especially for devices other than the iPhone or iPad:
- GoldenEye (Foxlink X892) adapter (for Apple TV)
- Apple Watch Universal Adapter or individual 38/40/42/44mm adapters for Apple Watch S0/S1; S2/S3; S4/S5/S6, and SE (1st gen).
- Apple HomePod adapter (3D-printable)
Furthermore, these adapters are essential:
- USB-A to 5V+ground Dupont pins (to power up Raspberry Pi Pico)
- Apple original Lightning to USB 3 Camera Adapter
- DIY adapter Lightning to 5V+ground+data Dupont pins for automating DFU mode on certain devices
- USB-A to Ethernet
- Lightning to Ethernet
Essential extras
You will require the following extras when performing certain activities:
- microSD card and card reader: You’ll need these to boot the Raspberry Pi. You probably have a few of those lying around. A 4GB card is enough to boot the Raspberry Pi, yet faster versions are usually available only in larger capacities.
- USB-C hub with USB-A ports: This is highly recommended as the checkm8 exploit works more reliably with it (although a USB-C to USB-A adapter can be used instead). You will also need one to plug the EIFT USB dongle if your computer is short of USB-A ports.
- USB mouse: A USB mouse is a must for the screenshot solution, as it sometimes works more smoothly when used in conjunction with a mouse.
Optional extras
There are a few additional items that we recommend:
- DSCD adapter for serial debugging: This adapter is recommended for solving issues with specific devices running specific versions of Apple’s operating system.
- External disk (preferably NVMe with USB-C interface): An external disk is indispensable for saving device extractions. Make sure to use a disk with enough free space as modern mobile devices come with capacities of up to 1 TB.
- Faraday bag and power bank.
Knowledge and expertise
No combination of hardware and software can fulfill all your mobile forensic needs. The acquisition methods available to retrieve data from a device depend on its model and operating system version. It’s crucial to be prepared in advance and have a thorough understanding of the available options.
Finally, it’s essential to understand that no single-button solution exists. Regardless of the software and hardware you possess, waiting for a magic one-click solution will not yield results. Comprehensive and effective mobile forensics requires expertise, effort, and a deep understanding of the tools at your disposal.
By Elcomsoft R&D at 2024-01-03 11:00:21. Source: ElcomSoft blog.
-
A Comprehensive Instruction Manual on Installing the Extraction Agent
This guide covers the correct installation procedure for the Elcomsoft low-level extraction agent, an integral part of iOS Forensic Toolkit that helps extract the file system and keychain from supported iOS devices. This instruction manual provides a step-by-step guide for setting up a device and installing the extraction agent. We’ve included suggestions from troubleshooting scenarios and recommendations we derived during testing.
Introduction
This manual emerged from a series of events triggered by broken usage experience for some customers. The issue arose when attempting to access the phone’s file system right after extracting the keychain, leading to immediate reboots or sporadic connection losses. Surprisingly, after successful keychain extraction, re-applying the exploit was not feasible. Moreover, unclean reboots due to kernel panic caused a filesystem rollback, which introduced new issues on its own. As similar issues persisted, we were able to reproduce this behavior, and created a solution.
Prerequisites
Before initiating the installation process, ensure the following prerequisites are met:
- Computer date/time and online connectivity: Ensure that the date and time settings on the computer are accurate, and the computer is connected to the internet.
- Non-developer Apple accounts: Note that currently, non-developer accounts can only be used for sideloading the extraction agent on macOS systems. Consequently, you will need the Mac edition of iOS Forensic Toolkit if you are using a non-developer account.
- Establish trusted relationships (before agent installation): Verify and establish trusted relationships between the phone and computer before installing the extraction agent.
- Recommended USB-C cable: We recommend using a USB-C cable. While not critical for sideloading and signing purposes, using this cable is beneficial for subsequent extractions.
Preparing the device
To ensure smooth installation and subsequent operation of the extraction agent, ensure that the device you are installing it on has sufficient charge and is correctly configured.
- Check date and time on the phone
- Ensure that the date and time on your phone are accurate. If needed, adjust them to the current time. This step is crucial for the correct installation, signing, and validation of the extraction agent.
Installing the extraction agent
Next, sideload the extraction agent onto the iOS device, but don’t run it just yet.
- Install the extraction agent (do not run it yet)
- Install the extraction agent on the device but refrain from launching it at this stage.
- Restart the phone
- Perform a clean restart of the phone (clean power off and reboot).
Note: If you don’t do the reboot and the device panics, the pairing records or even the agent app itself may become corrupted due to unclean reboot. You may need to re-install the agent app if that happens.
Configuration and connectivity
Depending on the type of the Apple ID account, you may need to validate the agent’s digital signature before the first launch; otherwise you won’t be able to run it. This process occurs on the device being investigated, and requires connecting the device to an Apple signing server, which in turn poses a set of known risks we’ve discussed in Installing the Extraction Agent.
Note: this chapter only applies if you need to have the agent’s digital signature validated when using a regular/non-developer Apple ID for agent signing. Apple developer accounts created before June 2021 waive this requirement.
- Connect to hardware firewall / Mac with firewall script
- Verify agent signature via device settings
- Navigate to “Settings -> General -> VPN and Device Management.”
- Verify the digital signature of the extraction agent. Do not launch the agent yet; this step is solely to confirm the application’s signature.
- Restart the phone again
- Perform another clean reboot of the phone.
- Launch extraction agent on the phone
- Tap the agent app on the phone home screen to launch it. If prompted for “Developer Mode”, proceed to the next step.
- Enable Developer Mode (if prompted)
- Navigate to “Settings -> Privacy and Security -> Developer Mode.”
- Activate Developer Mode (this might require another reboot of the device).
- Confirm developer mode activation (only if enabling Developer Mode):
- After the reboot, verify that Developer Mode is successfully enabled on your device.
Using the extraction agent
At this point, you can finally launch the extraction agent:
- Run the extraction agent
- Launch the extraction agent on the device by tapping its app icon on the home screen.
- Disconnect from firewall (if used) and connect to computer
- If you were using a hardware firewall, disconnect your phone from it and reconnect it to the computer.
- Start EIFT and follow instructions
- Run iOS Forensic Toolkit on your computer and proceed.
Notes and recommendations
- File system integrity and device panic
- Device panic causes unclean reboots. If you experience a device panic, the file system may be rolled back to a state prior to the panic to avoid corruption issues.
- Rollback impact on extraction agent
- Be aware that a rollback following an exploit might affect the functionality of the agent app and/or cause the pairing record to disappear. A clean reboot of the device between major steps helps to minimize potential issues.
- Reinstalling the extraction agent
- In case of corrupted records or application issues post-device panic, you may need to reinstall the agent app.
Following these steps should ensure a smooth setup and operation of the low-level extraction agent, minimizing the risk of potential cloud, device, and application-related problems.
Note: This manual is based on specific user experiences and testing scenarios. Adjustments may be necessary based on individual device configurations or software versions.
Final notes
By Oleg Afonin at 2023-12-27 17:22:42. Source: ElcomSoft blog.